Medium severity5.3NVD Advisory· Published May 7, 2026· Updated May 13, 2026

CVE-2026-39819

Description

The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

go.dev/cl/763882nvdPatch
pkg.go.dev/vuln/GO-2026-4978nvdVendor Advisory
go.dev/issue/78584nvdIssue Tracking
groups.google.com/g/golang-announce/c/qcCIEXso47MnvdIssue TrackingMailing List

News mentions

Patch Tuesday - May 2026
Rapid7 Blog · May 13, 2026

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000